Data-in-Use Protection on IBM Cloud Kubernetes Service Using Intel® SGX

Intel® Software Guard Extensions (Intel® SGX) bare metal worker nodes for IBM Cloud Kubernetes Service

The growth of container and microservices adoption across industry continues to accelerate at impressive rates. According to Forrester’s report on Container Security, 58% of developers report that their companies currently use containers or plan to use containers in the next 12 months.

However, according to the same report, security concerns about containers are still top of mind—43% of the respondents said that security was a challenge hindering container adoption. When we talk to our customers, their concerns revolve around understanding the security paradigm shift when using containers and microservices and providing the same level of isolation and insights that they get from on-prem compute resources.

Today, we are excited to announce Intel® Software Guard Extensions (Intel® SGX) bare metal worker nodes for IBM Cloud Kubernetes Service to help address some of the data protection concerns.

IBM Cloud Kubernetes Service

IBM Cloud Kubernetes Service is a managed Kubernetes offering to deliver powerful management tools, an intuitive user experience, and built-in security and isolation to enable rapid delivery of applications, all while leveraging advanced cloud services like blockchain, IoT, and AI through IBM Watson.

Announced in March 2018, bare metal worker nodes provide greater isolation and performance for containerized workloads. Now, with the Intel® SGX capability, developers can protect their code and data inside CPU-hardened "enclaves," a form of trusted execution environment (TEE).

Intel® SGX worker nodes on IBM Cloud Kubernetes Service

IBM Cloud Kubernetes Service provides ease of operations (multizone worker node clusters, HA master nodes, platform upgrades for security and open-source updates, and worker node auto-scaling) in a secure environment (access controls using resource groups, customer-managed keys with IBM Key Protect, fine-grained access controls for IBM Cloud Container Registry and the Kubernetes Service with Identity and Access Manager) that is compliant (HIPAA-ready, SOC 1, SOC 2 Type 1, ISAE 3402) and available where you want to run it (Tokyo MZR, San Jose, Oslo, Milan, and our existing data centers). With support for Intel® SGX worker nodes, those same capabilities now extend to workloads whose memory is protected at runtime.

Provisioning

Take the following steps to provision Intel® SGX bare metal worker nodes on the IBM Cloud Kubernetes Service:

  1. Go to the IBM Cloud catalog and select Kubernetes Service under Containers.
  2. Click Create on the next screen.
  3. Select Bare Metal under Hardware isolation and choose the SGX-capable bare metal flavor (mb2c.4x32). These bare metal worker nodes ship with SGX enabled in the BIOS.
  4. Bare metal server provisioning may take several hours. Once the cluster is up, it shows a Normal status.

Installing Intel® SGX driver and PSW

You can install the Intel® SGX driver and PSW (Platform Software) by deploying the datashield-sgx-driver-psw-installer container to your cluster.
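The post describes the provisioning and driver installation steps through the console. The script below is an added example, not IBM's or the installer's own code, of what a cluster operator would check afterwards from a shell: that every worker in the pool is the SGX flavor named above before enclave workloads are scheduled, a DaemonSet skeleton that runs the installer only on those workers (it must be privileged to load a kernel module, so it is confined to kube-system and pinned by nodeSelector rather than left to run on every node), and a check for the device node the driver creates. It assumes that IBM Cloud Kubernetes Service labels workers with `ibm-cloud.kubernetes.io/machine-type`, that the legacy Intel driver exposes `/dev/isgx` on the host, and that the installer image path is a placeholder you replace with the real registry path.

```shell
#!/bin/sh
# Added example (not IBM's code): post-provisioning checks for Intel SGX bare
# metal workers on IBM Cloud Kubernetes Service.
# Assumptions: the IKS label below carries the worker flavor; the legacy Intel
# driver creates /dev/isgx; INSTALLER_IMAGE is a placeholder to be replaced.

SGX_FLAVOR="mb2c.4x32"                                   # flavor named in the post
MACHINE_TYPE_LABEL="ibm-cloud.kubernetes.io/machine-type"  # assumed IKS node label
INSTALLER_IMAGE="${INSTALLER_IMAGE:-REGISTRY/NAMESPACE/datashield-sgx-driver-psw-installer:TAG}"

# check_flavors: reads "<node> <flavor>" lines on stdin, warns about every worker
# that is not the SGX flavor, and returns 1 if any such worker was found.
# Enclave workloads silently lose their protection if they land on other nodes.
check_flavors() {
  bad=0
  while read -r node flavor; do
    [ -n "$node" ] || continue
    if [ "$flavor" != "$SGX_FLAVOR" ]; then
      echo "WARN: $node is flavor '$flavor', not $SGX_FLAVOR" >&2
      bad=1
    fi
  done
  return "$bad"
}

# render_installer_daemonset: prints a DaemonSet that runs the installer once per
# SGX worker. Loading the driver needs host privileges, so the pod is privileged
# and mounts /lib/modules and /dev; the nodeSelector keeps it off other workers.
render_installer_daemonset() {
  cat <<EOF
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: sgx-driver-psw-installer
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: sgx-driver-psw-installer
  template:
    metadata:
      labels:
        app: sgx-driver-psw-installer
    spec:
      nodeSelector:
        $MACHINE_TYPE_LABEL: $SGX_FLAVOR
      containers:
      - name: installer
        image: $INSTALLER_IMAGE
        securityContext:
          privileged: true
        volumeMounts:
        - { name: modules, mountPath: /lib/modules }
        - { name: dev, mountPath: /dev }
      volumes:
      - { name: modules, hostPath: { path: /lib/modules } }
      - { name: dev, hostPath: { path: /dev } }
EOF
}

# has_sgx_device: returns 0 if the legacy driver's character device exists under
# the given /dev directory (assumed name isgx), 1 otherwise.
has_sgx_device() {
  [ -c "$1/isgx" ]
}

# Live usage (only when kubectl is present and RUN_LIVE=1):
#   list worker flavors from the assumed label and validate them, then apply the
#   DaemonSet and check the device on one worker.
if [ "${RUN_LIVE:-0}" = 1 ] && command -v kubectl >/dev/null 2>&1; then
  kubectl get nodes -o jsonpath="{range .items[*]}{.metadata.name} {.metadata.labels.ibm-cloud\.kubernetes\.io/machine-type}{'\n'}{end}" \
    | check_flavors || echo "cluster has non-SGX workers" >&2
  render_installer_daemonset | kubectl apply -f -
  has_sgx_device /dev && echo "/dev/isgx present on this host" || echo "/dev/isgx missing on this host"
fi
```

The flavor check runs on the operator's machine and needs nothing but `kubectl` output; the device check is meant to run on a worker (or inside a pod that mounts `/dev`) after the DaemonSet has completed. The jsonpath escapes the dots in the label key, which kubectl requires for dotted label names.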

Example

You can find Intel® SGX-enabled container applications—MySQL, Vault, Nginx—in the IBM Cloud Container Registry public repositories (search for datashield-mysql, datashield-vault, and datashield-nginx).

The IBM Cloud docs on getting started are located here.

Engage us

If you have questions or concerns, engage our team on Slack. You can register here and join the discussion in the #general channel on https://ibm-container-service.slack.com/.

Christopher Rosen

Program Director, Offering Management, IBM Kubernetes Service & IBM Container Registry
